In 2022, the Croatian Personal Data Protection Agency (AZOP) intensified its activity, imposing more than 10 administrative fines for violation of the provisions of the EU General Data Protection Regulation (GDPR) and the Act on the implementation of the General Data Protection Regulation. The AZOP imposed four noteworthy administrative fines. This article discusses the details of each.

Insufficient fulfilment of data subject's rights

In March 2022, the AZOP imposed an administrative fine of 940,000 Croatian kunas (approximately €125,000) on an unnamed company from the energy sector for its failure to provide video surveillance camera recordings (copies of personal data) at the request of the data subject. This represented a breach of article 15(3) of the EU GDPR.

The data subject used the services of a gas station at one of the company's branches and, unsatisfied with the measurement of fuel consumption, filed a complaint in accordance with consumer protection regulations. After that, to better protect his consumer rights, he requested the delivery of copies of his personal data via a copy of the video surveillance camera recording, specifying the exact date and time.

The company refused the data subject's request and stated that:

  • it had received no written request from the competent authorities for the delivery of a copy of the recording;
  • the purpose of the request was not justified; and
  • obtaining such a copy would negatively affect the rights and freedoms of the employees of the gas station and customers who were present at that moment.

The AZOP found that in the case in question, the company had violated the data subject's right to access his personal data – namely, to obtain a copy of the recording – which is one of the fundamental rights under the EU GDPR.

Failure to take appropriate measures for processing of personal data

The AZOP imposed an administrative fine of 675,000 Croatian kunas (approximately €70,000) on a retail chain company for its failure to take appropriate security measures in relation to the processing of personal data, which resulted in the unauthorised processing of personal data of the complainants through their publication on social networks and in the media. This constituted a breach of articles 32(1)(b), 32(1)(d), 32(2) and 32(4) of the EU GDPR.

One of the employees of the company, without authorisation and contrary to internal instructions, recorded video surveillance footage with their mobile device and published it on social networks and in the media.

The AZOP found that the company had not taken adequate actions to prevent its employees from taking video surveillance images using their mobile devices.

Failure to take appropriate technical measures

In July 2022, the AZOP imposed an administrative fine of 2.15 million Croatian kunas (approximately €286,000) on a telecoms company.

In 2021, the company experienced a significant security breach, which resulted in the unauthorised processing of personal data of 28,085 data subjects (for further details, please see "GDPR: three years on").

The AZOP found that the company had not taken the necessary measures to achieve an adequate level of security in accordance with the existing and foreseeable risks and acted contrary to article 32(1)(b) and (d) and article 32(2) of the EU GDPR.

The AZOP also emphasised that the company in question provides IT services not only to other mobile operators, banks and government institutions in Croatia, but also to companies abroad (eg, the United States, the United Kingdom and the Netherlands). Therefore, there should be a proper process in place to:

  • provide opinions and guidelines;
  • propose solutions to controllers on the implementation of web applications; and
  • design and implement appropriate technical measures to protect the processing of personal data.

Failure to mark the object under video surveillance

The AZOP imposed an administrative fine of 30,000 Croatian kunas (approximately €4,000) on a car dealership company based in Zagreb for the non-marking of a facility under video surveillance.

The AZOP carried out a direct supervisory inspection of the collection and processing of personal data by the company's video surveillance system. It determined that the company had failed to indicate that the business facility (in which technical inspections and vehicle registration are carried out and insurance services are contracted) and the external surface of the business facility are under video surveillance.

Additionally, in December 2022, on several occasions and without prior notice, the AZOP carried out direct supervisory inspections of the collection and processing of personal data through video surveillance systems operated by companies in the gambling, betting, hospitality and trade sectors.

The AZOP stated that it found breaches of article 27(1) or (2) of the EU GDPR in 10 cases for which the AZOP imposed fines in the total amount of 186,000 Croatian kunas (approximately €25,000).

Comment

It seems that the AZOP's activity and practice will continue to increase.

At the end of 2022, the largest personal data leak in Croatia's history occurred. Personal data of more than 70,000 data subjects held by a debt collection company was compromised. The data leaked included the cell phone numbers and email addresses of the data subjects, as well as the amount of money owed to the agency.

The case is currently being investigated by the AZOP.

For further information on this topic please contact Ivana Manovelo or Zrinka Buzatović at Maćešić & Partners by telephone (+385 51 215 010) or email ([email protected] or [email protected]). The Maćešić & Partners website can be accessed at www.macesic.hr.